Data Protection Policy
Date of review: 17 January 2018
Date of next review: January 2019
The Thanet commits to abide by the Data Protection Act 1998 in all areas of its operation. All members of staff and volunteers are expected to work within this legislation, and this policy sets out in detail the procedures in place to ensure that personal data relating to:
- service users
- employees – current and past
- job applicants
is treated in an appropriate way.
Brief introduction to Data Protection Act 1998
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the rights of Data Subjects
- Not transferred to other countries without adequate protection
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
- Definition of Terms
Listed below are the definitions of certain key terms as they are used in this policy.
- The Act – The Data Protection Act 1998.
- Data Controller – A person who, either alone or jointly or in common with other persons, determines the purposes for which, and the manner in which, any personal data is or is to be processed. The Data Controller for The Thanet is Victoria Green, Coordinator.
- Data Processor – Any person (other than an employee of the data controller) who processes the data on behalf of the data controller. This includes, for example, external payroll companies, consultants and fundraising agencies.
- Data Protection Officer – The day-to-day contact for data protection queries. The Data Protection Officer for The Thanet is Victoria Green, Coordinator.
- Data Subject – the identifiable living person to whom personal data relates.
- Personal Data – data, whether facts or opinions, which relate to a living individual who can be identified either from the data or from the data in combination with other information that is in the possession of, or likely to come into the possession of, the Data Controller.
- Processing – any operation or set of operations carried out on personal data. This includes obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, disclosing (by transmission, dissemination or otherwise making available), and analysing, aligning, combining, blocking, erasing or destroying the data.
- Relevant Filing System – the Data Protection Act 1998 covers all data held within a relevant filing system. This includes any set of information relating to individuals that is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. The Data Protection Commission has indicated that this definition will be interpreted broadly to include, for example, application forms and other papers stored in a manager’s desk.
- Sensitive Personal Data – data relating to racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life, criminal proceedings or convictions.
- The Conditions For Processing Personal Data (Excluding Sensitive Personal Data)
In accordance with the Act, personal data must be processed fairly and lawfully by staff and volunteers and, in particular, must not be processed unless at least one of the following conditions has been met.
- The data subject has given his or her consent to the processing – data subjects should therefore be made aware of the purposes for which their data will be used and should be advised whom to contact if they wish to discuss the processing of their data. This should be done at the earliest reasonable opportunity after personal data that is not generally in the public domain is obtained about the data subject. The following procedures should therefore be followed.
- The processing is necessary for performance of a contract – this condition can be broadly interpreted to cover much of the processing of employee data. It also covers the processing of supporter data that is required for the fulfilment of financial transactions associated with their support of The Thanet. Wherever possible, however, condition 2.1 should also be met.
- The processing is necessary to comply with a legal obligation other than an obligation imposed by contract – this condition can be applied to the processing of personal data necessary to meet the legal obligations of the organisation. Wherever possible, however, condition 2.1 should also be met.
- The processing is necessary for the data controller’s legitimate interests – the Data Protection Commissioner takes the view that this condition can be relied upon in relation to employment data if its processing meets the requirements of the Codes of Practice on Data Protection and Employment. Wherever possible, however, condition 2.1 should also be met.
- The Conditions For Processing Sensitive Personal Data
In line with the terms of the Act, sensitive personal data must only be processed if one of the conditions listed in section 2 has been met AND one of the following conditions has been met.
- The data subject has given his or her explicit consent to the processing – this means that wherever possible, when sensitive personal data is obtained the data subject’s verbal or written agreement to the processing of this data must be obtained and a record made of this consent.
- The processing is necessary for the purposes of exercising statutory functions – this covers processing related, for example, to the administration of maternity pay. Wherever possible condition 3.1 should also be met.
- The processing is performed under a legal obligation in connection with employment – Wherever possible condition 3.1 should also be met.
- The Purposes For Which Personal Data Will Be Used
Under the terms of the Act, personal data should be processed only in a manner compatible with one or more specified and lawful purposes. The purposes for which personal data held by The Thanet may be used are listed below, and no member of staff or volunteer should process personal data for any other purpose. In addition, no member of staff or volunteer should process personal data in any way listed below if this would violate a data subject’s exercised rights in relation to either data processing likely to cause substantial, unwarranted distress to themselves or direct marketing.
4.1 Personal Data Relating to members and service users – this data may be used for the following purposes.
- To contact by post, telephone, fax, e-mail or text message, as appropriate, with information about The Thanet’s services and activities.
- To register attendance at services and activities.
- To monitor and evaluate services and activities for both internal and external purposes to enable us to review, develop and improve our activities.
- To contact next of kin in the event of emergencies.
4.2 Personal Data relating to employees (current and past), trustees/directors, job applicants and volunteers – this data may be used for the following purposes.
- Monitoring the recruitment process (from enquiry to appointment)
- Administration and payment of salaries;
- Employee training;
- Career development;
- Consulting or communicating;
- Compliance with The Thanet’s policies;
- Compliance with legislation in relation to health, safety and other employment matters;
- Analysis for management purposes;
- Statutory returns.
4.3. Personal Data relating to partners, donors and supporters – this data may be used for the following purposes.
4.3.1 To contact the supporter by post, telephone, fax, e-mail or text message, as appropriate, with information about The Thanet’s activities and campaigns.
4.3.2 To help administer the ways they support The Thanet.
4.3.3 For research to enable us to review, develop and improve our activities and the services we offer supporters.
4.3.4 To enable us to meet our legal obligations relating to recording contributions and administering Gift Aid Declarations and Deeds of Covenant
- The Adequacy and Relevance of Personal Data
Under the terms of the Act, all personal data processed should be adequate, relevant and not excessive for the purposes listed under the relevant sub-section(s) of section 4. The following conditions should therefore be met before any member of staff, volunteer or data processor attempts to obtain personal data.
5.1 The purpose(s) for which the personal data will be used should be clearly defined and understood.
5.2 All the types of personal data required for the purpose(s) identified under the relevant sub-section of section 4 should be identified and measures put in place to ensure that this data will be obtained.
5.3 It should be clearly understood that no types of personal data that are not required for the purpose(s) identified under the relevant sub-section of section 4 should be obtained.
- The Accuracy of Personal Data
In accordance with the Act, the following procedures should be followed to ensure that all personal data is kept accurate and up-to-date.
Any inaccuracy in personal data that is brought to the attention of a member of staff or volunteer (either by the data subject or as a result of the combination or alignment of two or more sources of data) should be corrected as soon as possible by an appropriate member of staff or volunteer.
Data subjects should be given the opportunity to view the data held about them by The Thanet. In particular, subject access requests must be responded to appropriately. All such requests should be directed to the Coordinator.
A yearly audit of all information held on our computerised record system (if one is established) will be held.
- The Retention of Personal Data
Under the terms of the Act, personal data should not be kept for longer than is necessary for the purpose(s) identified under section 4. The following procedures should therefore be followed.
7.1 Duration of Data Retention
7.1.1 Personal data relating to members, service users, supporters, donors, funders, partners and suppliers – may be retained for as long as it is relevant for at least one of the purposes listed under section 4.1, and for as long as The Thanet continues to use data for this purpose/these purposes. If one or more of these purposes becomes obsolete a review of the types of data held should be made, and any types of data not required for the remaining purposes should be identified as needing to be erased or destroyed. The member of staff responsible for deeming the purpose obsolete should instigate this review.
7.1.2 Personal data relating to staff and volunteers – the following guidelines give an indication of how long the Thanet will keep personal and sensitive data on prospective, current and former employees:
- Application forms – unsuccessful candidates – one year
- All other information will be kept during the duration of employment
- A summary of record of service e.g. name, position, dates of employment will be kept for 10 years from the end of employment.
7.2 Procedures for erasing or destroying data – When no longer required, all personal data stored in hard copy form should be shredded prior to disposal. All personal data stored in electronic form should, when no longer required, be erased from all relevant databases, spreadsheets or electronic lists.
- The Rights of the Data Subject
The Act gives data subjects specific rights relating to subject access; the processing of data in ways likely to cause substantial damage or distress; seeking compensation for damages and damages for distress; and direct marketing. Listed below are the implications for The Thanet and the procedures that should be followed to ensure that these rights are respected.
8.1 Subject access requests – a subject access request is a request from a data subject for details of the information held about them by the organisation. An organisation is required to respond appropriately within 40 days of receipt of a written subject access request. The following procedure should therefore be followed when responding to subject access requests.
8.1.1 All written or verbal subject access requests should be forwarded to the Data Protection Officer.
8.1.2 In the case of verbal subject access requests, the Data Protection Officer should contact the data subject to ask for written confirmation of their request.
8.1.3 On receipt of a written subject access request, the Data Protection Officer should then take steps to confirm the identity of the person making the subject access request. This should be done by comparing the correspondence address and other details on the subject access request with information on our database. If necessary, the Data Protection Officer should contact the person making the subject access request to ask for further proof of identity.
8.1.4 The Data Protection Officer should then contact the data subject in writing to confirm that they will receive a response within 40 days of the receipt of their written subject access request. The latest date on which they should expect to receive a response should be given.
8.1.6 No later than 40 days after receipt of the written subject access request, the Data Protection Officer should provide the data subject with the following.
- Confirmation that their personal data is or is not being processed.
- A description of the type of information kept, the purposes it is used for, and the type of organisations it is passed on to.
- A hard copy or readily readable, permanent electronic copy of all the personal data held, together with an explanation of any codes or other unintelligible terms used.
8.2 Processing likely to cause unwarranted substantial damage or distress to the data subject or to another – a data subject has the right to request that the Data Controller stops or prevents data processing where it can be shown, for specified reasons, that this processing is likely to cause substantial, unwarranted distress to them or to another. The data subject does not, however, have the right to require the Data Controller to stop or prevent such processing. In the case of such a request, the following procedure should be followed:
8.2.1 The request should be forwarded to the Data Controller
8.2.2 The Data Controller should determine whether the data subject has demonstrated that the processing is likely, for specified reasons, to cause substantial, unwarranted distress to them or to another. If this has not been demonstrated, the Data Controller should ask the data subject for further clarification and explain that their request to stop or prevent data processing cannot be addressed until these conditions have been met.
8.2.3 The Data Controller should determine whether compliance with the data subject’s request would have a significant, detrimental effect on the efficient or effective functioning of the organisation.
8.2.4 In the event that compliance with the data subject’s request would interfere with the efficient or effective functioning of the organisation, the Data Controller should contact the data subject to refuse their request to stop or prevent data processing, and explain in detail the reason(s) for this refusal. If compliance with the data subject’s request would not interfere with the efficient or effective functioning of the organisation, the Data Controller should take all reasonable steps to ensure that the relevant processing is stopped or prevented, and should then notify the data subject that these steps have been taken.
8.3. Compensation for damages and damages for distress – Legal advice should be sought on a case-by-case basis prior to any response to a request for compensation for damages and damages for distress.
- Protecting Personal Data from Unauthorised or Unlawful Processing, Accidental Loss, Destruction, or Damage
In accordance with the Act, the following technical and organisational measures should be adhered to in order to protect personal data from unauthorised or unlawful processing, accidental loss, destruction, or damage.
10.1 Personal data should not be obtained, recorded, held, organised, adapted, altered, retrieved, consulted, disclosed (by transmission, dissemination or otherwise making available), analysed, aligned, combined, blocked, erased or destroyed on behalf of The Thanet for any purpose other than those listed under the relevant sub-section(s) of section 4.
10.2 No member of staff or volunteer should process personal data held by The Thanet at any time or for any purpose that is not associated with the fulfilment of their role within The Thanet.
10.3 Wherever possible, personal data processed electronically should be held at The Thanet or within other programmes or files located within The Thanet’s computer directory, or on external databases with password protected access restricted to authorised Thanet Personnel. Holding or otherwise processing personal data on the local hard-drives of personal, laptop or notebook computers or within other electronic devices should be avoided wherever possible. If it is necessary to hold personal data outside the Thanet’s computer (for example, when working away from The Thanet office), the data should, wherever possible, be transferred back to the Thanet’s computer database at the earliest opportunity.
10.4 Wherever possible, if it is necessary to hold personal data on the hard drive of a personal computer or other electronic device, the member of staff or volunteer processing the data in this way should ensure that it is protected by a password known only to relevant members of staff and volunteers.
10.5 Data should only be held in hard copy form in a locked filing cabinet (either exclusively or in addition to being held electronically) where rendered necessary by the format in which the data is received or by the purposes for which the data is or is to be used. Wherever possible and appropriate, data recorded in hard copy form should be transferred to electronic form at the earliest opportunity (where consent to record data electronically has been provided). Personal data held in a hard copy form should only be removed from The Thanet office when absolutely necessary, and should be returned at the earliest opportunity.
10.6 The Data Controller at The Thanet is responsible for providing staff and volunteers with the password giving access and/or other processing rights to all and only those sources of personal data at The Thanet relevant to their role within The Thanet.
10.7 Each member of staff and volunteer should ensure that they do not divulge to any other person the password that gives them access and/or other processing rights to those sources of personal data within The Thanet’s computer directory.
10.8 Personal data held by The Thanet should not be disclosed by any member of staff or volunteer to any other member of staff or volunteer who does not have at least equal processing rights in relation to the data in question.
10.9 Data held within electronic or hard-copy files shared by more than one member of staff and/or volunteer should not be organised, reorganised, altered or adapted in any way which makes any of the data inaccessible to any of the individuals sharing it.
10.10 Personal data should only be disclosed to parties external to The Thanet if the party receiving the information is bound by contract to abide by the Data Protection Act 1998.
10.11 When transferring or copying personal data using any system which places the data beyond the immediate and exclusive control of The Thanet, appropriate measures must be taken to ensure that the data is protected from unauthorised access during this transfer. For example, when personal data is emailed it should be sent within a file that is protected by a password known only to relevant members of staff, volunteers and data processors. And when personal data is sent through the post a suitable secure or recorded delivery service should be used.
10.12 Wherever possible, if data held is in hard copy form or on a portable electronic device, the hard copy or device should be stored securely when not being supervised by a relevant member of staff or volunteer. In some cases this may mean ensuring that the hard copy or device is protected by The Thanet’s normal overnight security system. In other cases, and particularly when working away from The Thanet office, it may be necessary to store the hard copy or device in a lockable filing cabinet or safe. Where possible, cable locks should be used on portable computers at all times, whether the computer is being used or stored within The Thanet office or off-site.
- Direct Marketing
Data subjects have the right to stop or prevent the processing of their data for the purposes of direct marketing. The Thanet will treat the following unsolicited direct communication with individuals as marketing:
11.1 seeking donations and other financial support;
11.2 promoting any Thanet services;
11.3 promoting Thanet events;
11.4 promoting sponsored events and other fundraising exercises;
11.5 marketing on behalf of any other external company or voluntary organisation.
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out. If it is not possible to give a range of options, any opt-out which is exercised will apply to all Thanet marketing. The Thanet does not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.
The Thanet will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
- Transferring Personal Data to a Country or Territory Outside the European Economic Area
In accordance with the terms of the Act, personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Photographic images taken at The Thanet, if they show a recognisable person, are personal data and are covered by the Data Protection Act.
- Staff training and acceptance of responsibilities
All staff who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy and the operational procedures for handling personal data. All staff will be expected to adhere to all these policies and procedures.
Data Protection will be included in the induction training for all volunteers.
The Thanet will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
- Disclosure and Barring Service checks
If an individual is requested to supply The Thanet with a copy of a recent Disclosure and Barring Service (DBS) Certificate in connection with their role as a staff member or volunteer at The Thanet, we will:
16.1 not disclose information contained within that DBS Certificate to any person who is not a member, officer or employee of the Thanet, unless a relevant legal exception applies;
16.2 not disclose information to any member, officer or employee where it is not related to that employee or volunteer’s duties;
16.3 not knowingly make a false statement for the purpose of obtaining, or enabling another person to obtain, a Certificate; and
16.4 once that DBS Certificate has been reviewed, we will destroy any paper copies provided to us as soon as possible, and within at least six months of receipt.
- Policy review
The policy will be reviewed annually by Victoria Green, Coordinator and approved by the Board of Directors and Charity Trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness.